Offloading NP4 anomaly detection

Network interfaces associated with a port attached to an NP4 processor can be configured to offload anomaly checking to the NP4 processor. This anomaly checking happens before any other offloading and is separate from DoS policy anomaly checking. The setting is per interface: with the following command, each FortiGate interface can have a different anomaly checking configuration even when several interfaces are connected to the same NP4 processor.

The options available for this command apply anomaly checking to NP4 sessions in the same way as the command described in Configuring individual NP6 processors on page 1215 applies anomaly checking to NP6 sessions.

config system interface
    edit <port-name>
        set fp-anomaly <anomalies>
    end

where <anomalies> is one, more than one or all of the following. Each anomaly has a drop_ form and a pass_ form:

Anomaly                  Description

drop_icmp_frag           Drop ICMP fragments.
drop_icmpland            Drop ICMP Land.
drop_ipland              Drop IP Land.
drop_iplsrr              Drop IP with Loose Source Record Route option.
drop_iprr                Drop IP with Record Route option.
drop_ipsecurity          Drop IP with Security option.
drop_ipssrr              Drop IP with Strict Source Record Route option.
drop_ipstream            Drop IP with Stream option.
drop_iptimestamp         Drop IP with Timestamp option.
drop_ipunknown_option    Drop IP with malformed option.
drop_ipunknown_prot      Drop IP with unknown protocol.
drop_tcp_fin_noack       Drop TCP FIN with no ACK flag set.
drop_tcp_no_flag         Drop TCP with no flag set.
drop_tcpland             Drop TCP Land.
drop_udpland             Drop UDP Land.
drop_winnuke             Drop TCP WinNuke.
pass_icmp_frag           Allow ICMP fragments to pass.
pass_icmpland            Allow ICMP Land to pass.
pass_ipland              Allow IP Land to pass.
pass_iplsrr              Allow IP with Loose Source Record Route option to pass.
pass_iprr                Allow IP with Record Route option to pass.
pass_ipsecurity          Allow IP with Security option to pass.
pass_ipssrr              Allow IP with Strict Source Record Route option to pass.
pass_ipstream            Allow IP with Stream option to pass.
pass_iptimestamp         Allow IP with Timestamp option to pass.
pass_ipunknown_option    Allow IP with malformed option to pass.
pass_ipunknown_prot      Allow IP with unknown protocol to pass.
pass_tcp_fin_noack       Allow TCP FIN with no ACK flag set to pass.
pass_tcp_no_flag         Allow TCP with no flag set to pass.
pass_tcpland             Allow TCP Land to pass.
pass_udpland             Allow UDP Land to pass.
pass_winnuke             Allow TCP WinNuke to pass.

Example

You might configure an NP4 to drop packets with TCP WinNuke or unknown IP protocol anomalies, but to pass packets carrying an IP Timestamp option, using the hardware acceleration provided by the network processor.
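The scenario above, carried through as an added Python example (not Fortinet code and not part of the original page): it renders the CLI lines for the Example (port1 is an assumed interface name), refuses a policy that lists the same anomaly as both drop_ and pass_ (the script's own sanity check, not a documented firmware rule), and audits a constructed `show system interface` listing to report ports that do not drop a required baseline of anomalies. The layout of the audited text follows the usual FortiOS configuration listing and is assumed, as are the port names and the `REQUIRED_DROPS` baseline.

```python
# Added example for this page, not Fortinet code. Assumed: the anomaly names
# listed on the page, the usual 'show system interface' layout, made-up ports.
import re

# Anomaly keywords from the page, without the drop_/pass_ prefix.
ANOMALIES = (
    "icmp_frag", "icmpland", "ipland", "iplsrr", "iprr", "ipsecurity",
    "ipssrr", "ipstream", "iptimestamp", "ipunknown_option", "ipunknown_prot",
    "tcp_fin_noack", "tcp_no_flag", "tcpland", "udpland", "winnuke",
)
# A baseline an operator might require on every NP4 port (a policy choice, not a page rule).
REQUIRED_DROPS = ("icmpland", "ipland", "tcpland", "udpland", "winnuke")


def fp_anomaly_commands(port, drop=(), passthrough=()):
    """Return the CLI lines that set fp-anomaly on one interface.

    Unknown names, and an anomaly listed as both drop and pass, are rejected;
    the second check is this script's own, not a documented firmware rule.
    """
    drop, passthrough = set(drop), set(passthrough)
    unknown = (drop | passthrough) - set(ANOMALIES)
    if unknown:
        raise ValueError(f"unknown anomaly name(s): {sorted(unknown)}")
    both = drop & passthrough
    if both:
        raise ValueError(f"drop and pass both requested for: {sorted(both)}")
    options = [f"drop_{a}" for a in ANOMALIES if a in drop]
    options += [f"pass_{a}" for a in ANOMALIES if a in passthrough]
    return ["config system interface", f"    edit {port}",
            f"        set fp-anomaly {' '.join(options)}", "    end"]


_EDIT = re.compile(r'^edit\s+"?([^"\s]+)"?$')
_FP = re.compile(r"^set fp-anomaly\s+(.+)$")


def parse_fp_anomaly(show_output):
    """Map interface name -> (dropped, passed) sets from 'show system interface' text.

    Only 'edit' lines directly under 'config system interface' (depth 1) name
    ports; nested config blocks are skipped. A port with no 'set fp-anomaly'
    line gets two empty sets, so the audit still sees it.
    """
    result, current, depth = {}, None, 0
    for raw in show_output.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            continue
        if line == "end":
            depth -= 1
            continue
        if depth != 1:
            continue
        m = _EDIT.match(line)
        if m:
            current = m.group(1)
            result[current] = (set(), set())
            continue
        m = _FP.match(line)
        if m and current:
            for opt in m.group(1).split():
                kind, _, name = opt.partition("_")
                if kind == "drop":
                    result[current][0].add(name)
                elif kind == "pass":
                    result[current][1].add(name)
    return result


def audit(show_output, required_drops=REQUIRED_DROPS):
    """Return {port: [required anomalies it does not drop]}; empty dict means every port complies."""
    findings = {}
    for port, (dropped, _passed) in parse_fp_anomaly(show_output).items():
        missing = sorted(set(required_drops) - dropped)
        if missing:
            findings[port] = missing
    return findings


# Constructed 'show system interface' excerpt (not real device output).
SAMPLE_SHOW = """\
config system interface
    edit "port1"
        set type physical
        set fp-anomaly drop_winnuke drop_ipunknown_prot pass_iptimestamp
    next
    edit "port2"
        set type physical
        set fp-anomaly drop_icmpland drop_ipland drop_tcpland drop_udpland drop_winnuke
    next
    edit "port3"
        set type physical
    next
end
"""

if __name__ == "__main__":
    # The page's Example: drop WinNuke and unknown IP protocol, pass IP Timestamp.
    print("\n".join(fp_anomaly_commands(
        "port1", drop=("winnuke", "ipunknown_prot"), passthrough=("iptimestamp",))))
    for port, missing in audit(SAMPLE_SHOW).items():
        print(f"{port}: not dropping {', '.join(missing)}")
```

Run as-is it prints the commands for the Example and then flags port1 and port3 of the constructed listing; pointing `audit` at a saved `show system interface` from a real unit finds NP4 ports that were never given an fp-anomaly setting at all, which is the case the per-interface design makes easy to miss.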
